China’s Typhoon ecosystem is a set of PRC state-sponsored campaigns that establish long-term, low-visibility access across critical infrastructure, telecom, government, and technology by abusing credentials, exploiting unpatched edge devices, and living off the land. Distinct clusters then use this trusted access for missions ranging from disruptive pre-positioning to large-scale espionage and supply-chain compromise while persisting quietly across patch cycles.

CYBER INSIGHTS DEC 31, 2025

Overview

China’s state-sponsored Typhoon campaigns represent a sustained shift toward long-term access operations aimed at pre-positioning within critical infrastructure, telecommunications, government, and technology environments. These campaigns prioritize stealth, persistence, and operational readiness, relying on living-off-the-land techniques, valid credential abuse, and exploitation of unpatched edge devices such as firewalls, routers, and virtualization platforms. Observed intrusions show Typhoon operators maintaining covert access for months or years, often operating below traditional logging and endpoint-detection thresholds while embedding themselves within trusted infrastructure layers. Once established, actors move laterally through identity systems, network management planes, and virtualization environments to expand access while minimizing malware footprint and observable indicators. Real-world exploitation demonstrates that these operations are not theoretical: operators have been observed establishing and maintaining access to energy, water, telecommunications, and government networks in the wild, positioned for disruption even where no disruptive action has yet been taken.

Key Findings:

  • PRC-linked Typhoon campaigns prioritize long-term, low-visibility access to infrastructure, often relying on valid credentials and native system functionality rather than noisy malware.
  • These operations consistently target network appliances, identity services, and virtualization management layers, exploiting gaps in monitoring and assumptions that such systems are inherently trusted.
  • Campaign activity shows clear differentiation in objectives: some Typhoon clusters focus on disruption and pre-positioning, while others emphasize espionage, expanding access, or intelligence collection at scale.
  • Real-world intrusions demonstrate that once initial access is achieved, operators can persist for extended periods, pivot into downstream environments, and access sensitive communications, credentials, and operational systems with minimal detection.
  • Immediate Actions: Inventory all internet-facing appliances, identity services, and virtualization management systems, validate their patch status and administrative access paths, and review recent authentication and configuration changes for signs of unauthorized or anomalous activity.

1.0 Threat Overview

1.1 Historical Context

China’s Typhoon campaigns are the result of a steady evolution in PRC cyber operations over more than a decade, building on earlier large-scale espionage activity and maturing into persistent access and pre-positioning efforts. Early milestones such as the 2014 U.S. indictment of People’s Liberation Army hackers and the 2015 Office of Personnel Management breach demonstrated China’s willingness to conduct expansive cyber espionage against U.S. government systems. Over time, these operations shifted away from overt data exfiltration toward quieter, longer-lived access models that reduce attribution risk and increase strategic utility. This transition reflects a broader PRC strategy that integrates cyber operations into gray-zone competition, blending intelligence collection, coercion, and preparation for potential conflict without crossing traditional thresholds of armed confrontation.

The emergence of the Typhoon actors marks a distinct phase in this evolution. Groups including Volt Typhoon, Flax Typhoon, Salt Typhoon, and later Linen, Violet, Silk, and Nylon Typhoon demonstrate specialized roles aligned to different operational objectives, including infrastructure disruption, mass data collection, signals intelligence, intellectual property theft, and policy-focused espionage. Since at least 2021, government and industry investigations have documented these actors exploiting edge devices, network infrastructure, and trusted administrative pathways to establish long-term, covert access across critical sectors. Rather than relying on constant malware deployment, Typhoon operators emphasize credential abuse, living-off-the-land techniques, and persistence within poorly monitored systems, enabling access to endure across patch cycles and incident response activity. This history shows a deliberate progression toward cyber capabilities designed not just to observe adversaries, but to shape operational conditions in advance of future geopolitical crises.

1.2 Campaign Breakdown

Chinese APT Campaign Focus & Attribution

Infrastructure Pre-Positioning: Volt Typhoon
  • Primary Objective: Pre-position access for potential disruption during conflict.
  • Core Characteristics: Credential abuse, edge device exploitation, LOTL techniques, OT-adjacent access, long-term persistence.
  • Key Targets: Energy, water, telecom, transportation.

Telecom & SIGINT: Salt Typhoon
  • Primary Objective: Access communications and surveillance data.
  • Core Characteristics: Router and backbone compromise, traffic collection, persistent network-level access.
  • Key Targets: Telecom providers, ISPs, lawful intercept systems.

IoT & Edge Espionage: Flax Typhoon
  • Primary Objective: Large-scale data collection and surveillance.
  • Core Characteristics: IoT exploitation, modular C2, persistence in low-visibility environments.
  • Key Targets: IoT devices, SMEs, infrastructure-adjacent networks.

Rapid Exploit Weaponization: Linen Typhoon & Violet Typhoon
  • Primary Objective: Fast intrusion via newly disclosed vulnerabilities.
  • Core Characteristics: Rapid vulnerability exploitation, early-access intrusions.
  • Key Targets: Government, defense, research.

Enterprise & Supply Chain Access: Silk Typhoon
  • Primary Objective: Reach downstream victims through trusted services.
  • Core Characteristics: Remote management abuse, application-layer exploitation.
  • Key Targets: Cloud services, enterprise IT.

Policy & Strategic Intelligence: Nylon Typhoon
  • Primary Objective: Monitor policy and diplomatic decision-making.
  • Core Characteristics: Credential-based access, legitimate tools, low-noise persistence.
  • Key Targets: Government, policy, defense entities.

2.0 Operational Tradecraft and Access Patterns

PRC state-sponsored campaigns exhibit a consistent emphasis on stealth, durability, and reuse of compromised infrastructure rather than rapid exploitation or monetization. Initial access is typically achieved by exploiting known, unpatched edge-device vulnerabilities, particularly in network security appliances, followed by post-exploitation activity focused on maintaining long-term access. Instead of deploying traditional malware, operators rely on appliance-resident tooling and living-off-the-land techniques that blend into normal administrative behavior.

Persistence is established through manipulation of preload mechanisms (such as the dynamic linker's preload list), replacement of legitimate binaries, and timestomping, enabling malicious code to execute inside existing device processes while minimizing forensic artifacts. In some cases, components are staged in non-persistent locations and reconstituted at boot to further reduce on-disk indicators.

Operational control is maintained via lightweight backdoors that support command execution, credential collection, and traffic interception over native management protocols such as SNMP, SSH, and HTTP. Harvested credentials are then used to pivot laterally across trusted devices and interconnected environments. Activity following initial access is highly selective, characterized by sustained observation and infrastructure modification rather than automated scanning, reflecting a mature tradecraft playbook reused across campaigns with only minor adaptation.
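The persistence pattern described above (preload manipulation, binary replacement, timestomping) leaves two artifacts a hunter can check for on a Linux-based appliance or a mounted offline image of one. The script below is an added example written for this page, not tooling from the report or from any vendor. It assumes the appliance uses the glibc dynamic linker, so the preload list lives at /etc/ld.so.preload, and it compares each binary's modification time (which utime()/touch can back-date) against its inode change time (which the kernel sets and user space cannot forge). The library name libxyz.so, the directory layout, and the sample tree the demo builds in a temporary directory are constructed for illustration.

```python
"""Hunt for appliance-style persistence on a Linux filesystem tree:
dynamic-linker preload entries and timestomped binaries.
Added example for this page; not tooling from the report."""
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumption: glibc-based appliance, so the preload list is /etc/ld.so.preload.
PRELOAD_REL = "etc/ld.so.preload"
# Directories whose binaries are worth checking; bin/ and sbin/ are often symlinks to usr/.
BINARY_DIRS = ("usr/bin", "usr/sbin", "bin", "sbin")


def preload_findings(root):
    """Return one record per library listed in the preload file under root.
    Most appliances should have no preload file at all, so any entry is a finding."""
    preload = Path(root) / PRELOAD_REL
    if not preload.is_file():
        return []
    findings = []
    for line in preload.read_text(errors="replace").splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        lib = Path(root) / entry.lstrip("/")
        exists = lib.is_file()
        findings.append({
            "entry": entry,
            "exists": exists,
            # a preload library anyone can write to is a stronger signal still
            "world_writable": exists and bool(lib.stat().st_mode & stat.S_IWOTH),
        })
    return findings


def timestomp_findings(root, min_gap=3600):
    """Flag binaries whose mtime is older than their ctime by more than min_gap seconds.
    utime()/touch can back-date mtime and atime, but ctime is set by the kernel on
    every inode change and cannot be set from user space, so a binary that claims to
    be years old yet has a recent ctime was rewritten or re-stamped recently."""
    hits = []
    for rel in BINARY_DIRS:
        base = Path(root) / rel
        if not base.is_dir() or base.is_symlink():
            continue
        for p in base.iterdir():
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            gap = st.st_ctime - st.st_mtime
            if gap > min_gap:
                hits.append({"path": str(p), "mtime": st.st_mtime,
                             "ctime": st.st_ctime, "gap_seconds": round(gap)})
    return hits


def run_hunt(root="/"):
    return {"preload": preload_findings(root), "timestomped": timestomp_findings(root)}


def build_demo_tree(root):
    """Constructed sample tree: one preload entry and one back-dated binary."""
    root = Path(root)
    for d in ("etc", "usr/bin", "usr/lib"):
        (root / d).mkdir(parents=True, exist_ok=True)
    # hypothetical implant library; the name is made up for the demo
    (root / "usr/lib/libxyz.so").write_bytes(b"\x7fELF")
    (root / "etc/ld.so.preload").write_text("/usr/lib/libxyz.so\n")
    # honest binary: written now, timestamps left alone
    (root / "usr/bin/ls").write_bytes(b"\x7fELF")
    # replaced binary: written now, then mtime/atime back-dated a year
    stomped = root / "usr/bin/sshd"
    stomped.write_bytes(b"\x7fELF")
    a_year_ago = time.time() - 365 * 86400
    os.utime(stomped, (a_year_ago, a_year_ago))


def demo():
    """Build the constructed tree in a temporary directory and hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return run_hunt(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

A large mtime-to-ctime gap is not proof on its own: package managers that preserve archive timestamps produce the same signature at install time, so survivors should be compared against package-manager hashes or a known-good firmware image. On a live appliance, call run_hunt("/"); against an acquired image, pass its mount point.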

2.1 Execution Flow in Intrusions

The observed campaigns follow a repeatable intrusion sequence that prioritizes persistence, internal visibility, and long-term access over rapid exploitation. While specific tooling varies across environments and clusters, the overall execution flow remains consistent and reflects a mature, infrastructure-focused operational model.

Attack Phase Methodology
  • Initial Access: Exploitation of known, unpatched edge-device vulnerabilities on exposed network appliances, typically without use of zero-day exploits.
  • Foothold Establishment: Deployment of appliance-resident binaries or shared objects designed to execute within existing system processes.
  • Persistence: Modification of preload mechanisms, replacement of legitimate binaries, and use of timestomping to maintain execution across reboots while minimizing artifacts.
  • Privilege and Process Manipulation: Injection into core services and manipulation of trusted system processes to enable command execution and traffic interception.
  • Internal Reconnaissance: Enumeration of running processes, device configurations, authentication services, and network routing information using native management tools.
  • Credential and Traffic Collection: Passive capture of authentication traffic and administrative credentials using built-in packet capture and monitoring capabilities.
  • Lateral Expansion: Use of harvested credentials and trusted connections to access adjacent network devices and pivot into interconnected environments.

3.0 Infrastructure and Targeting Patterns

Across observed Typhoon campaigns, targeting decisions reflect a consistent preference for infrastructure that provides visibility, access brokerage, or transitive reach rather than direct exploitation of end-user systems. The operators prioritize environments where network position, trust relationships, and management plane access enable downstream compromise at scale. This approach allows single intrusions to yield sustained access across multiple organizations, sectors, and geographies while minimizing operational noise. Targeting patterns observed across campaigns indicate deliberate selection of environments that support long-term access, passive collection, and contingency positioning rather than immediate disruption.

3.1 Priority Target Environments

Targeted Environment Types and Observed Purposes
  • Telecommunications Providers: Access to signaling, metadata, lawful intercept systems, and high-volume traffic flows.
  • Internet Service Providers: Pivot points for customer networks and regional infrastructure visibility.
  • Managed Service Providers: Indirect access to downstream enterprise and government customers.
  • Government-Adjacent Enterprises: Credential harvesting, administrative visibility, and policy-related intelligence.
  • Critical Infrastructure Operators: Positioning for operational disruption and OT-adjacent visibility.

4.0 Case Studies

Chinese APT Typhoon Events and Significance

Flax Typhoon (2023)
  • Event: Microsoft identified Flax Typhoon conducting persistent access operations against Taiwanese organizations using legitimate tools and minimal malware.
  • Significance: Demonstrates PRC emphasis on credential abuse and living-off-the-land tradecraft for sustained regional espionage.

Volt Typhoon (2024)
  • Event: Exploitation of Fortinet FortiOS SSL VPN vulnerabilities on unpatched FortiGate firewalls to gain initial access to U.S. critical infrastructure environments.
  • Significance: Confirms real-world edge-device exploitation to enable long-term, low-visibility access consistent with infrastructure pre-positioning objectives.

Nylon Typhoon (2024)
  • Event: Microsoft reported Nylon Typhoon targeting foreign affairs and diplomatic entities using valid credentials and standard remote access tools.
  • Significance: Reinforces a credential-centric, low-noise espionage model aligned with long-term diplomatic and policy intelligence goals.

Salt Typhoon (2025)
  • Event: PRC actors associated with Salt Typhoon targeted telecommunications providers through Cisco network devices.
  • Significance: Underscores the strategic risk of PRC access to telecom infrastructure, enabling sustained collection of communications metadata and potential leverage over critical signaling systems.

Linen Typhoon (2025)
  • Event: Microsoft observed Linen Typhoon rapidly exploiting newly disclosed on-premises Microsoft SharePoint vulnerabilities.
  • Significance: Illustrates fast weaponization of public vulnerabilities to secure early access into government and critical-sector networks.

Violet Typhoon (2025)
  • Event: Violet Typhoon leveraged SharePoint Server exploitation to access email and identity infrastructure in policy-related organizations.
  • Significance: Shows targeted intelligence collection focused on policymaker communications and identity systems.

Silk Typhoon (2025)
  • Event: Silk Typhoon abused trusted IT management and cloud administration platforms to pivot into downstream enterprise environments.
  • Significance: Demonstrates supply chain and transitive access risk through trusted services rather than direct victim targeting.

5.0 Risk and Impact

The PRC “Typhoon” campaigns demonstrate a sustained capability to establish and maintain long-term access across critical infrastructure, enterprise IT, and telecommunications environments, often by exploiting trusted network devices and management platforms rather than deploying overt malware. By prioritizing edge appliances, virtualization layers, identity systems, and core service infrastructure, these campaigns reduce detection opportunities while enabling broad downstream access to sensitive networks and data flows. The operational impact extends beyond data exposure, as persistent access to telecommunications, energy, and IT management systems creates latent disruption potential that could be activated during periods of geopolitical tension. The reliance on valid credentials, living-off-the-land techniques, and poorly monitored infrastructure components complicates attribution, detection, and eviction efforts. Collectively, these activities increase systemic risk by undermining the integrity and resilience of foundational digital services that support government operations, economic activity, and national security functions.


6.0 Recommendations for Mitigation

6.1 Enforce rigorous patch and configuration management across internet-facing infrastructure

  • Organizations should ensure timely patching of perimeter devices, identity services, virtualization platforms, and management interfaces, coupled with regular configuration audits to reduce exposure from known weaknesses that PRC-linked campaigns consistently exploit.

6.2 Treat network appliances and virtualization management planes as Tier 0 assets

  • Firewalls, VPNs, hypervisors, vCenter-like platforms, and identity federation services should be isolated with dedicated management networks, restricted administrative access, and enhanced logging. These systems should never be assumed “low-risk” simply because they lack traditional endpoint tooling.

6.3 Instrument detection for credential-based and living-off-the-land activity, not just malware

  • Security teams should prioritize the detection of anomalous administrative behavior, such as unusual login timing, lateral movement from appliances, credential reuse across systems, and changes to authentication flows. Telemetry from identity providers, virtualization logs, and network devices should be correlated to identify stealthy persistence.
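The correlation this bullet calls for (unusual login timing, lateral movement from appliances, credential reuse across systems) can be prototyped over sshd authentication logs before a SIEM rule is written. The script below is an added example, not detection content from the report: the log lines are constructed syslog-format sshd records, the appliance address table, the business-hours window and the fan-out thresholds are assumptions to tune per environment, and the year is fixed because syslog lines carry none.

```python
"""Prototype detections for credential-based and living-off-the-land activity
over sshd authentication logs. Added example for this page, not detection
content from the report; every threshold below is an assumption to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: management addresses of network appliances. Appliances receive
# admin sessions; they should not *originate* interactive logins to servers.
APPLIANCE_SOURCES = {"10.0.5.1": "fw-edge01", "10.0.5.2": "core-rtr01"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
FANOUT_WINDOW = timedelta(minutes=30)  # one account reaching many hosts quickly
FANOUT_HOSTS = 3
SYSLOG_YEAR = 2025                     # syslog timestamps carry no year

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: an account used from a firewall's address at 02:00 to
# reach three servers in three minutes, amid routine daytime deploy logins.
SAMPLE_LOG = """\
Jan 12 09:03:11 app01 sshd[2231]: Accepted publickey for deploy from 10.20.0.15 port 50211 ssh2
Jan 12 02:14:07 db01 sshd[1187]: Accepted password for netadmin from 10.0.5.1 port 41022 ssh2
Jan 12 02:15:40 jump01 sshd[3310]: Accepted password for netadmin from 10.0.5.1 port 41030 ssh2
Jan 12 02:17:02 dc01 sshd[4471]: Accepted password for netadmin from 10.20.0.50 port 52813 ssh2
Jan 12 10:40:19 app02 sshd[2790]: Accepted publickey for deploy from 10.20.0.15 port 50340 ssh2
Jan 12 11:02:45 app01 sshd[2811]: Failed password for root from 203.0.113.9 port 60001 ssh2
"""


def parse(lines):
    """Turn successful-login lines into events sorted by time; ignore the rest."""
    events = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    findings = []
    for e in events:
        if e["src"] in APPLIANCE_SOURCES:
            findings.append({"rule": "login_from_appliance", "host": e["host"], "user": e["user"],
                             "detail": f"source {e['src']} is {APPLIANCE_SOURCES[e['src']]}"})
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "off_hours_login", "host": e["host"], "user": e["user"],
                             "detail": e["ts"].strftime("%H:%M local")})
    # Credential fan-out: the same account reaching FANOUT_HOSTS distinct hosts
    # inside FANOUT_WINDOW, regardless of how many source addresses it used.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW]
            hosts = sorted({x["host"] for x in window})
            if len(hosts) >= FANOUT_HOSTS:
                findings.append({"rule": "credential_fanout", "host": ",".join(hosts), "user": user,
                                 "detail": f"{len({x['src'] for x in window})} sources within {FANOUT_WINDOW}"})
                break
    return findings


def run_sample():
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:22} {f['user']:10} {f['host']:20} {f['detail']}")
```

The three rules deliberately fire independently: the netadmin account in the sample trips all of them, which is the pattern worth paging on, while a single off-hours login from a known workstation would surface as one low-severity event. In production the same logic should consume identity-provider and virtualization-management logs too, since an appliance source address or a fan-out pattern means the same thing there.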

6.4 Constrain outbound communication and trust relationships from infrastructure systems

  • Critical systems should be restricted to explicitly approved outbound destinations and protocols. DNS, proxy, and VPN usage originating from appliances or management servers should be tightly controlled and continuously reviewed to prevent covert command-and-control or data staging.
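The egress control above only works if someone actually reviews flow records against the approved list. The script below is an added example, not from the report: it takes constructed flow records of the kind a collector exports and checks each appliance's outbound connections against a per-device allowlist of destination, port and protocol. The allowlist, the 10.0.9.0/24 services and the flows are hypothetical; the management addresses 10.0.5.1 and 10.0.5.2 are assumed to belong to a firewall and a core router.

```python
"""Review outbound flow records from infrastructure systems against a
per-device egress allowlist. Added example for this page, not from the
report; addresses, services and flows are constructed."""
import ipaddress

# Assumption: the only destinations an appliance's management interface may
# reach are the syslog collector, NTP, the internal resolver and the patch
# proxy, each pinned to one port and protocol.
ALLOWLIST = {
    "10.0.5.1": [("10.0.9.10/32", 514, "udp"),   # syslog collector
                 ("10.0.9.11/32", 123, "udp"),   # NTP
                 ("10.0.9.53/32", 53, "udp"),    # internal DNS resolver
                 ("10.0.9.80/32", 443, "tcp")],  # patch/update proxy
    "10.0.5.2": [("10.0.9.10/32", 514, "udp"),
                 ("10.0.9.11/32", 123, "udp"),
                 ("10.0.9.53/32", 53, "udp")],
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow export: ts,src,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
2025-01-12T02:20:01Z,10.0.5.1,10.0.9.10,514,udp,380
2025-01-12T02:20:05Z,10.0.5.1,10.0.9.53,53,udp,92
2025-01-12T02:21:10Z,10.0.5.1,203.0.113.44,443,tcp,18211
2025-01-12T02:21:12Z,10.0.5.1,198.51.100.7,53,udp,1450
2025-01-12T02:25:00Z,10.0.5.2,10.0.9.11,123,udp,76
"""


def is_allowed(src, dst_ip, dport, proto):
    return any(dst_ip in ipaddress.ip_network(net) and dport == p and proto == pr
               for net, p, pr in ALLOWLIST.get(src, []))


def classify(dst_ip, dport):
    """Why a flow failed the allowlist, most specific reason first."""
    if dport == 53:
        return "dns_to_unapproved_resolver"   # classic tunnel/C2 channel
    if not any(dst_ip in n for n in INTERNAL_NETS):
        return "external_destination"        # appliance talking to the internet
    return "unapproved_internal_destination"


def review(flows_text):
    """Return one finding per flow that is not explicitly approved for its source."""
    findings = []
    for line in flows_text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        dport = int(dport)
        record = {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": int(nbytes)}
        if src not in ALLOWLIST:
            # a management-plane source nobody inventoried is itself a finding
            findings.append({**record, "reason": "source_not_in_inventory"})
            continue
        dst_ip = ipaddress.ip_address(dst)
        if is_allowed(src, dst_ip, dport, proto):
            continue
        findings.append({**record, "reason": classify(dst_ip, dport)})
    return findings


def review_sample():
    return review(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']}B {f['reason']}")
```

In the sample the firewall's syslog and resolver traffic passes, while an HTTPS session to an outside address and a DNS query to a resolver that is not the approved one are both flagged; the DNS case is separated out because an appliance resolving names through an unexpected server is the quietest covert channel this control is meant to close. The same allowlist should be enforced at the network boundary, not only reviewed after the fact.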

6.5 Prepare for long-dwell intrusions with coordinated eviction and recovery planning

  • Given the demonstrated ability of Typhoon campaigns to persist for extended periods, organizations should develop response playbooks that assume partial compromise, include full credential rotation, rebuild affected infrastructure from known-good images rather than patching in place, and sequence containment, eviction, and rebuild steps carefully so that active operators are not tipped off before containment is complete.

7.0 Hunter Insights

China’s Typhoon ecosystem is likely to deepen its focus on pre-positioning inside critical infrastructure, telecom, and managed service environments, emphasizing long-dwell, low-noise access over smash-and-grab operations. Over the next several years, Typhoon clusters will likely expand their use of appliance- and virtualization-resident tooling, living-off-the-land techniques, and credential-centric lateral movement to persist across patch cycles and hybrid cloud/on-prem estates, with infrastructure pre-compromise becoming a standing condition rather than a rare event. As operational technology, IoT, and edge platforms become more tightly integrated with core networks, expect more Typhoon activity against routers, 5G cores, industrial IoT, and virtualization management planes to gain both intelligence and latent disruption options at a regional scale.

Future Typhoon operations will also likely show sharper mission specialization across clusters, some tuned for disruptive OT access (Volt-style), others for mass data and SIGINT collection (Flax/Salt-style), and still others for rapid vulnerability weaponization and supply-chain intrusion against cloud, MSP, and identity providers. As global tensions rise, this pre-positioned access is poised to transition from purely espionage-focused to contingency capabilities designed to delay military mobilization, create cascading outages across energy, water, and telecom, and apply coercive pressure without immediate attribution. In response, defenders should anticipate more "malware-light" incidents in which the primary signal is abnormal administrative behavior on trusted infrastructure, making identity-centric monitoring, Tier-0 isolation, and long-dwell hunt operations foundational requirements rather than advanced practices.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.